FTP woes

[drhex2000]

Hi group,

we are seeing big problems with transmitting lots fo small files via FTP to some clients through Checkpoint. We have tried in various variants with/without FW, NATing and such and come to the conclusion that CP slows the connection down to a large extent and also drops connections sometimes. We use passive FTP and do keep the control connection open to speed things up.
Is there any way to completely disable the FTP security server (according to our support, no) or debug this thing in a way that we can identify the issues?

Thanks in advance,

Florian

[chuachongchee]

Hi, can provide more info??

What's your environment like? Firewall specs, checkpoint version, hfa etc?

[drhex2000]

Hi,

NGX R65 SPLAT cluster on Dell 1425. HA config, no loadsharing. Active FTP does not change anything either - we are at a slight loss here.
Thanks,

Florian

[chuachongchee]

Quote:

Originally Posted by drhex2000

Hi,

NGX R65 SPLAT cluster on Dell 1425. HA config, no loadsharing. Active FTP does not change anything either - we are at a slight loss here.
Thanks,

Florian

Hmm... seems weird, have you tried to disable smartdef entirely or do a direct routing for ftp, not nat, any luck?

Any AV or UTM features turned on? SecureXL? Floodgate?

[drhex2000]

Yes, I tried to disable Smartdefense, albeit to no avail. I cannot disable the security server completely (and therefore cannot check direct routing), as this is impossible according to my reseller - or is it not?

Thanks,

Florian

[chuachongchee]

Quote:

Originally Posted by drhex2000

Yes, I tried to disable Smartdefense, albeit to no avail. I cannot disable the security server completely (and therefore cannot check direct routing), as this is impossible according to my reseller - or is it not?

Thanks,

Florian

One thing to try...

1) Go "Manage" > "Services"
2) Edit the "FTP" protocol
3) Go to Advanced config
4) Under protocol type choose "none"
5) Install policy

See of this helps??

[drhex2000]

Hi,

OK, tried your advice, albeit without luck:
Changing the protocol type and moving all the other FTP services to another port still gives me security server messages on connection and makes the whole thing REALLY slow (probably would have to open all other ports by hand...). So this does not give me direct FTP to the outside world. Any other ideas?

Thanks,

Florian

[chuachongchee]

Quote:

Originally Posted by drhex2000

Hi,

OK, tried your advice, albeit without luck:
Changing the protocol type and moving all the other FTP services to another port still gives me security server messages on connection and makes the whole thing REALLY slow (probably would have to open all other ports by hand...). So this does not give me direct FTP to the outside world. Any other ideas?

Thanks,

Florian

Let me get some things straight... What are the specs on your Dell 1425??

Any HFAs installed?

Next, now when you say "slow", can provide some figures??

If possible, from the SAME client and server, AND using the SAME file(s), do 2 tests, one direct n one through firewall.. Whats the performance diff??

[drhex2000]

Hi,

thanks for continuing to look into this! I really appreciate it.
OK, for the Dells: Plain vanilla 1425 with two procs, 4GB RAM each and an additional Dell 2 port GE card.
Concerning the speed: On sending large files, I am quite happy - I can easily send them at +7 MBit, which is probably as fast as I will get to the remote location. My problem is that on sending many small (<1kByte, about 3-5 per s) files with a persistent control connection, I get random packet loss. Usually files transfer in about 0,01s, I have random (about every 100th file) longer delivery times, which can be up to 10s - usually this affects about 5 files until everything quietens down again. Sometimes I do loose the connection alltogether, which then causes a 30s timeout in my delivery software. Alltogether, these random lags lead to queuing of up to ten min., which is completely unacceptable for the app. Behaviour is the same to an internal FTP server (obviously routed through the FW twice), while a direct connection doe not exhibit this. Additional hops (the final conn is from UK to I) make it even worse.

Thanks again,

Florian

[chuachongchee]

Quote:

Originally Posted by drhex2000

Hi,

thanks for continuing to look into this! I really appreciate it.
OK, for the Dells: Plain vanilla 1425 with two procs, 4GB RAM each and an additional Dell 2 port GE card.
Concerning the speed: On sending large files, I am quite happy - I can easily send them at +7 MBit, which is probably as fast as I will get to the remote location. My problem is that on sending many small (<1kByte, about 3-5 per s) files with a persistent control connection, I get random packet loss. Usually files transfer in about 0,01s, I have random (about every 100th file) longer delivery times, which can be up to 10s - usually this affects about 5 files until everything quietens down again. Sometimes I do loose the connection alltogether, which then causes a 30s timeout in my delivery software. Alltogether, these random lags lead to queuing of up to ten min., which is completely unacceptable for the app. Behaviour is the same to an internal FTP server (obviously routed through the FW twice), while a direct connection doe not exhibit this. Additional hops (the final conn is from UK to I) make it even worse.

Thanks again,

Florian

This somehow looks so called "normal".. all network devices suffered performance degradation when handling small packets.. even the highest throughput firewalls can do 40Gbps @ 1518 packet size... when packet size drops to 64kbps, performance drops to ~~5.6Gbps....

So think about ur Wintel machines, they are in fact jus normal pc!


One last thing.. try to run FW monitor and tcpdump both at the same time in raw modes, dump them to files, run comparisons, look at the ack, sack, packets in out... make sure its all correct... look for 2 Is, 2 O, (in) interface, (in) firewall, (out) firewall, (out) interface.. At the same time, run a "fw ctl zdebug drop" and see what actually is being dropped...


One other last thing **GURP** you can try is to turn on SecureXL and see if it helps?? You may need your ccsp to help gen you an eval for the test... SecureXL is supposed to help increase performance.... i'm skeptical about this, but a last ditch thingy u can try...